import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
// NOTE(review): in this listing the generic type arguments of `pulumi.Input` / `pulumi.Output`
// appear to have been stripped (see the unbalanced `>` in `pulumi.Input[]>` on the NAT rule id
// fields). The declarations are reproduced as found; confirm them against the published typings.
/**
 * Manages a connection in an existing Virtual Network Gateway.
 *
 * ## Example Usage
 *
 * > **Note:** The `sharedKey` literals in the examples below are placeholders. The shared key is
 * > the pre-shared secret that authenticates the tunnel, so a real program should not commit it
 * > to source. Read it from encrypted stack configuration instead (for example
 * > `new pulumi.Config().requireSecret("sharedKey")`, where the config key name is illustrative)
 * > so that the value is tracked as a secret.
 *
 * ### Site-to-Site connection
 *
 * The following example shows a connection between an Azure virtual network
 * and an on-premises VPN device and network.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "test",
 *     location: "West US",
 * });
 * const exampleVirtualNetwork = new azure.network.VirtualNetwork("example", {
 *     name: "test",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     addressSpaces: ["10.0.0.0/16"],
 * });
 * const exampleSubnet = new azure.network.Subnet("example", {
 *     name: "GatewaySubnet",
 *     resourceGroupName: example.name,
 *     virtualNetworkName: exampleVirtualNetwork.name,
 *     addressPrefixes: ["10.0.1.0/24"],
 * });
 * const onpremise = new azure.network.LocalNetworkGateway("onpremise", {
 *     name: "onpremise",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     gatewayAddress: "168.62.225.23",
 *     addressSpaces: ["10.1.1.0/24"],
 * });
 * const examplePublicIp = new azure.network.PublicIp("example", {
 *     name: "test",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     allocationMethod: "Dynamic",
 * });
 * const exampleVirtualNetworkGateway = new azure.network.VirtualNetworkGateway("example", {
 *     name: "test",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     type: "Vpn",
 *     vpnType: "RouteBased",
 *     activeActive: false,
 *     bgpEnabled: false,
 *     sku: "Basic",
 *     ipConfigurations: [{
 *         publicIpAddressId: examplePublicIp.id,
 *         privateIpAddressAllocation: "Dynamic",
 *         subnetId: exampleSubnet.id,
 *     }],
 * });
 * const onpremiseVirtualNetworkGatewayConnection = new azure.network.VirtualNetworkGatewayConnection("onpremise", {
 *     name: "onpremise",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     type: "IPsec",
 *     virtualNetworkGatewayId: exampleVirtualNetworkGateway.id,
 *     localNetworkGatewayId: onpremise.id,
 *     sharedKey: "4-v3ry-53cr37-1p53c-5h4r3d-k3y",
 * });
 * ```
 *
 * ### VNet-to-VNet connection
 *
 * The following example shows a connection between two Azure virtual networks
 * in different locations/regions.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const us = new azure.core.ResourceGroup("us", {
 *     name: "us",
 *     location: "East US",
 * });
 * const usVirtualNetwork = new azure.network.VirtualNetwork("us", {
 *     name: "us",
 *     location: us.location,
 *     resourceGroupName: us.name,
 *     addressSpaces: ["10.0.0.0/16"],
 * });
 * const usGateway = new azure.network.Subnet("us_gateway", {
 *     name: "GatewaySubnet",
 *     resourceGroupName: us.name,
 *     virtualNetworkName: usVirtualNetwork.name,
 *     addressPrefixes: ["10.0.1.0/24"],
 * });
 * const usPublicIp = new azure.network.PublicIp("us", {
 *     name: "us",
 *     location: us.location,
 *     resourceGroupName: us.name,
 *     allocationMethod: "Dynamic",
 * });
 * const usVirtualNetworkGateway = new azure.network.VirtualNetworkGateway("us", {
 *     name: "us-gateway",
 *     location: us.location,
 *     resourceGroupName: us.name,
 *     type: "Vpn",
 *     vpnType: "RouteBased",
 *     sku: "Basic",
 *     ipConfigurations: [{
 *         publicIpAddressId: usPublicIp.id,
 *         privateIpAddressAllocation: "Dynamic",
 *         subnetId: usGateway.id,
 *     }],
 * });
 * const europe = new azure.core.ResourceGroup("europe", {
 *     name: "europe",
 *     location: "West Europe",
 * });
 * const europeVirtualNetwork = new azure.network.VirtualNetwork("europe", {
 *     name: "europe",
 *     location: europe.location,
 *     resourceGroupName: europe.name,
 *     addressSpaces: ["10.1.0.0/16"],
 * });
 * const europeGateway = new azure.network.Subnet("europe_gateway", {
 *     name: "GatewaySubnet",
 *     resourceGroupName: europe.name,
 *     virtualNetworkName: europeVirtualNetwork.name,
 *     addressPrefixes: ["10.1.1.0/24"],
 * });
 * const europePublicIp = new azure.network.PublicIp("europe", {
 *     name: "europe",
 *     location: europe.location,
 *     resourceGroupName: europe.name,
 *     allocationMethod: "Dynamic",
 * });
 * const europeVirtualNetworkGateway = new azure.network.VirtualNetworkGateway("europe", {
 *     name: "europe-gateway",
 *     location: europe.location,
 *     resourceGroupName: europe.name,
 *     type: "Vpn",
 *     vpnType: "RouteBased",
 *     sku: "Basic",
 *     ipConfigurations: [{
 *         publicIpAddressId: europePublicIp.id,
 *         privateIpAddressAllocation: "Dynamic",
 *         subnetId: europeGateway.id,
 *     }],
 * });
 * const usToEurope = new azure.network.VirtualNetworkGatewayConnection("us_to_europe", {
 *     name: "us-to-europe",
 *     location: us.location,
 *     resourceGroupName: us.name,
 *     type: "Vnet2Vnet",
 *     virtualNetworkGatewayId: usVirtualNetworkGateway.id,
 *     peerVirtualNetworkGatewayId: europeVirtualNetworkGateway.id,
 *     sharedKey: "4-v3ry-53cr37-1p53c-5h4r3d-k3y",
 * });
 * const europeToUs = new azure.network.VirtualNetworkGatewayConnection("europe_to_us", {
 *     name: "europe-to-us",
 *     location: europe.location,
 *     resourceGroupName: europe.name,
 *     type: "Vnet2Vnet",
 *     virtualNetworkGatewayId: europeVirtualNetworkGateway.id,
 *     peerVirtualNetworkGatewayId: usVirtualNetworkGateway.id,
 *     sharedKey: "4-v3ry-53cr37-1p53c-5h4r3d-k3y",
 * });
 * ```
 *
 * ## API Providers
 *
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.Network` - 2025-01-01
 *
 * ## Import
 *
 * Virtual Network Gateway Connections can be imported using their `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:network/virtualNetworkGatewayConnection:VirtualNetworkGatewayConnection exampleConnection /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup1/providers/Microsoft.Network/connections/myConnection1
 * ```
 */
export declare class VirtualNetworkGatewayConnection extends pulumi.CustomResource {
    /**
     * Get an existing VirtualNetworkGatewayConnection resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to look up.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input, state?: VirtualNetworkGatewayConnectionState, opts?: pulumi.CustomResourceOptions): VirtualNetworkGatewayConnection;
    /**
     * Returns true if the given object is an instance of VirtualNetworkGatewayConnection. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is VirtualNetworkGatewayConnection;
    /**
     * The authorization key associated with the Express Route Circuit. This field is required only if the type is an ExpressRoute connection.
     * Treat this value as a credential: avoid exporting or logging it in plain text.
     * NOTE(review): this declaration does not show whether the provider marks the output as secret; confirm.
     */
    readonly authorizationKey: pulumi.Output;
    /**
     * If `true`, BGP (Border Gateway Protocol) is enabled for this connection. Defaults to `false`.
     */
    readonly bgpEnabled: pulumi.Output;
    /**
     * Connection mode to use. Possible values are `Default`, `InitiatorOnly` and `ResponderOnly`. Defaults to `Default`. Changing this value forces a new resource to be created.
     */
    readonly connectionMode: pulumi.Output;
    /**
     * The IKE protocol version to use. Possible values are `IKEv1` and `IKEv2`. Defaults to `IKEv2`. Changing this forces a new resource to be created.
     * > **Note:** Only valid for `IPSec` connections on virtual network gateways with SKU `VpnGw1`, `VpnGw2`, `VpnGw3`, `VpnGw1AZ`, `VpnGw2AZ` or `VpnGw3AZ`.
     */
    readonly connectionProtocol: pulumi.Output;
    /**
     * A `customBgpAddresses` block which is documented below.
     * The block can only be used on `IPSec` / `activeactive` connections.
     * For details, see [the relevant section in the Azure documentation](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-aws-bgp).
     */
    readonly customBgpAddresses: pulumi.Output;
    /**
     * The dead peer detection timeout of this connection in seconds. Changing this forces a new resource to be created.
     */
    readonly dpdTimeoutSeconds: pulumi.Output;
    /**
     * A list of the egress NAT Rule Ids.
     */
    readonly egressNatRuleIds: pulumi.Output;
    /**
     * @deprecated the `enableBgp` property has been deprecated in favour of the `bgpEnabled` property and will be removed in v5.0 of the AzureRM Provider
     */
    readonly enableBgp: pulumi.Output;
    /**
     * The ID of the Express Route Circuit when creating an ExpressRoute connection (i.e. when `type` is `ExpressRoute`). The Express Route Circuit can be in the same or in a different subscription. Changing this forces a new resource to be created.
     */
    readonly expressRouteCircuitId: pulumi.Output;
    /**
     * If `true`, data packets will bypass ExpressRoute Gateway for data forwarding. This is only valid for ExpressRoute connections.
     */
    readonly expressRouteGatewayBypass: pulumi.Output;
    /**
     * A list of the ingress NAT Rule Ids.
     */
    readonly ingressNatRuleIds: pulumi.Output;
    /**
     * An `ipsecPolicy` block which is documented below.
     * Only a single policy can be defined for a connection. For details on
     * custom policies refer to [the relevant section in the Azure documentation](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell).
     */
    readonly ipsecPolicy: pulumi.Output;
    /**
     * Use private local Azure IP for the connection. Changing this forces a new resource to be created.
     */
    readonly localAzureIpAddressEnabled: pulumi.Output;
    /**
     * The ID of the local network gateway when creating Site-to-Site connection (i.e. when `type` is `IPsec`).
     */
    readonly localNetworkGatewayId: pulumi.Output;
    /**
     * The location/region where the connection is located. Changing this forces a new resource to be created.
     */
    readonly location: pulumi.Output;
    /**
     * The name of the connection. Changing the name forces a new resource to be created.
     */
    readonly name: pulumi.Output;
    /**
     * The ID of the peer virtual network gateway when creating a VNet-to-VNet connection (i.e. when `type` is `Vnet2Vnet`). The peer Virtual Network Gateway can be in the same or in a different subscription. Changing this forces a new resource to be created.
     */
    readonly peerVirtualNetworkGatewayId: pulumi.Output;
    /**
     * Bypass the Express Route gateway when accessing private-links. When enabled `expressRouteGatewayBypass` must be set to `true`. Defaults to `false`.
     */
    readonly privateLinkFastPathEnabled: pulumi.Output;
    /**
     * The name of the resource group in which to create the connection. Changing this forces a new resource to be created.
     */
    readonly resourceGroupName: pulumi.Output;
    /**
     * The routing weight. Defaults to `10`.
     */
    readonly routingWeight: pulumi.Output;
    /**
     * The shared IPSec key. A key can be provided when a Site-to-Site, VNet-to-VNet or ExpressRoute connection is created.
     * This is the pre-shared secret for the tunnel: avoid exporting or logging it in plain text.
     * NOTE(review): this declaration does not show whether the provider marks the output as secret; confirm.
     */
    readonly sharedKey: pulumi.Output;
    /**
     * A mapping of tags to assign to the resource.
     */
    readonly tags: pulumi.Output<{ [key: string]: string; } | undefined>;
    /**
     * One or more `trafficSelectorPolicy` blocks which are documented below.
     * A `trafficSelectorPolicy` allows you to specify a traffic selector policy proposal to be used in a virtual network gateway connection.
     * For details about traffic selectors refer to [the relevant section in the Azure documentation](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps).
     */
    readonly trafficSelectorPolicy: pulumi.Output;
    /**
     * The type of connection. Valid options are `IPsec` (Site-to-Site), `ExpressRoute` (ExpressRoute), and `Vnet2Vnet` (VNet-to-VNet). Each connection type requires different mandatory arguments (refer to the examples above). Changing this forces a new resource to be created.
     */
    readonly type: pulumi.Output;
    /**
     * If `true`, policy-based traffic selectors are enabled for this connection. Enabling policy-based traffic selectors requires an `ipsecPolicy` block. Defaults to `false`.
     */
    readonly usePolicyBasedTrafficSelectors: pulumi.Output;
    /**
     * The ID of the Virtual Network Gateway in which the connection will be created. Changing this forces a new resource to be created.
     */
    readonly virtualNetworkGatewayId: pulumi.Output;
    /**
     * Create a VirtualNetworkGatewayConnection resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: VirtualNetworkGatewayConnectionArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering VirtualNetworkGatewayConnection resources.
 */
export interface VirtualNetworkGatewayConnectionState {
    /**
     * The authorization key associated with the Express Route Circuit. This field is required only if the type is an ExpressRoute connection.
     * Treat this value as a credential and supply it from secret configuration rather than a literal in source.
     */
    authorizationKey?: pulumi.Input;
    /**
     * If `true`, BGP (Border Gateway Protocol) is enabled for this connection. Defaults to `false`.
     */
    bgpEnabled?: pulumi.Input;
    /**
     * Connection mode to use. Possible values are `Default`, `InitiatorOnly` and `ResponderOnly`. Defaults to `Default`. Changing this value forces a new resource to be created.
     */
    connectionMode?: pulumi.Input;
    /**
     * The IKE protocol version to use. Possible values are `IKEv1` and `IKEv2`. Defaults to `IKEv2`. Changing this forces a new resource to be created.
     * > **Note:** Only valid for `IPSec` connections on virtual network gateways with SKU `VpnGw1`, `VpnGw2`, `VpnGw3`, `VpnGw1AZ`, `VpnGw2AZ` or `VpnGw3AZ`.
     */
    connectionProtocol?: pulumi.Input;
    /**
     * A `customBgpAddresses` block which is documented below.
     * The block can only be used on `IPSec` / `activeactive` connections.
     * For details, see [the relevant section in the Azure documentation](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-aws-bgp).
     */
    customBgpAddresses?: pulumi.Input;
    /**
     * The dead peer detection timeout of this connection in seconds. Changing this forces a new resource to be created.
     */
    dpdTimeoutSeconds?: pulumi.Input;
    /**
     * A list of the egress NAT Rule Ids.
     */
    egressNatRuleIds?: pulumi.Input[]>;
    /**
     * @deprecated the `enableBgp` property has been deprecated in favour of the `bgpEnabled` property and will be removed in v5.0 of the AzureRM Provider
     */
    enableBgp?: pulumi.Input;
    /**
     * The ID of the Express Route Circuit when creating an ExpressRoute connection (i.e. when `type` is `ExpressRoute`). The Express Route Circuit can be in the same or in a different subscription. Changing this forces a new resource to be created.
     */
    expressRouteCircuitId?: pulumi.Input;
    /**
     * If `true`, data packets will bypass ExpressRoute Gateway for data forwarding. This is only valid for ExpressRoute connections.
     */
    expressRouteGatewayBypass?: pulumi.Input;
    /**
     * A list of the ingress NAT Rule Ids.
     */
    ingressNatRuleIds?: pulumi.Input[]>;
    /**
     * An `ipsecPolicy` block which is documented below.
     * Only a single policy can be defined for a connection. For details on
     * custom policies refer to [the relevant section in the Azure documentation](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell).
     */
    ipsecPolicy?: pulumi.Input;
    /**
     * Use private local Azure IP for the connection. Changing this forces a new resource to be created.
     */
    localAzureIpAddressEnabled?: pulumi.Input;
    /**
     * The ID of the local network gateway when creating Site-to-Site connection (i.e. when `type` is `IPsec`).
     */
    localNetworkGatewayId?: pulumi.Input;
    /**
     * The location/region where the connection is located. Changing this forces a new resource to be created.
     */
    location?: pulumi.Input;
    /**
     * The name of the connection. Changing the name forces a new resource to be created.
     */
    name?: pulumi.Input;
    /**
     * The ID of the peer virtual network gateway when creating a VNet-to-VNet connection (i.e. when `type` is `Vnet2Vnet`). The peer Virtual Network Gateway can be in the same or in a different subscription. Changing this forces a new resource to be created.
     */
    peerVirtualNetworkGatewayId?: pulumi.Input;
    /**
     * Bypass the Express Route gateway when accessing private-links. When enabled `expressRouteGatewayBypass` must be set to `true`. Defaults to `false`.
     */
    privateLinkFastPathEnabled?: pulumi.Input;
    /**
     * The name of the resource group in which to create the connection. Changing this forces a new resource to be created.
     */
    resourceGroupName?: pulumi.Input;
    /**
     * The routing weight. Defaults to `10`.
     */
    routingWeight?: pulumi.Input;
    /**
     * The shared IPSec key. A key can be provided when a Site-to-Site, VNet-to-VNet or ExpressRoute connection is created.
     * This is the pre-shared secret for the tunnel: supply it from secret configuration rather than a literal in source.
     */
    sharedKey?: pulumi.Input;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{ [key: string]: pulumi.Input; }>;
    /**
     * One or more `trafficSelectorPolicy` blocks which are documented below.
     * A `trafficSelectorPolicy` allows you to specify a traffic selector policy proposal to be used in a virtual network gateway connection.
     * For details about traffic selectors refer to [the relevant section in the Azure documentation](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps).
     */
    trafficSelectorPolicy?: pulumi.Input;
    /**
     * The type of connection. Valid options are `IPsec` (Site-to-Site), `ExpressRoute` (ExpressRoute), and `Vnet2Vnet` (VNet-to-VNet). Each connection type requires different mandatory arguments (refer to the examples above). Changing this forces a new resource to be created.
     */
    type?: pulumi.Input;
    /**
     * If `true`, policy-based traffic selectors are enabled for this connection. Enabling policy-based traffic selectors requires an `ipsecPolicy` block. Defaults to `false`.
     */
    usePolicyBasedTrafficSelectors?: pulumi.Input;
    /**
     * The ID of the Virtual Network Gateway in which the connection will be created. Changing this forces a new resource to be created.
     */
    virtualNetworkGatewayId?: pulumi.Input;
}
/**
 * The set of arguments for constructing a VirtualNetworkGatewayConnection resource.
 */
export interface VirtualNetworkGatewayConnectionArgs {
    /**
     * The authorization key associated with the Express Route Circuit. This field is required only if the type is an ExpressRoute connection.
     * Treat this value as a credential and supply it from secret configuration rather than a literal in source.
     */
    authorizationKey?: pulumi.Input;
    /**
     * If `true`, BGP (Border Gateway Protocol) is enabled for this connection. Defaults to `false`.
     */
    bgpEnabled?: pulumi.Input;
    /**
     * Connection mode to use. Possible values are `Default`, `InitiatorOnly` and `ResponderOnly`. Defaults to `Default`. Changing this value forces a new resource to be created.
     */
    connectionMode?: pulumi.Input;
    /**
     * The IKE protocol version to use. Possible values are `IKEv1` and `IKEv2`. Defaults to `IKEv2`. Changing this forces a new resource to be created.
     * > **Note:** Only valid for `IPSec` connections on virtual network gateways with SKU `VpnGw1`, `VpnGw2`, `VpnGw3`, `VpnGw1AZ`, `VpnGw2AZ` or `VpnGw3AZ`.
     */
    connectionProtocol?: pulumi.Input;
    /**
     * A `customBgpAddresses` block which is documented below.
     * The block can only be used on `IPSec` / `activeactive` connections.
     * For details, see [the relevant section in the Azure documentation](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-aws-bgp).
     */
    customBgpAddresses?: pulumi.Input;
    /**
     * The dead peer detection timeout of this connection in seconds. Changing this forces a new resource to be created.
     */
    dpdTimeoutSeconds?: pulumi.Input;
    /**
     * A list of the egress NAT Rule Ids.
     */
    egressNatRuleIds?: pulumi.Input[]>;
    /**
     * @deprecated the `enableBgp` property has been deprecated in favour of the `bgpEnabled` property and will be removed in v5.0 of the AzureRM Provider
     */
    enableBgp?: pulumi.Input;
    /**
     * The ID of the Express Route Circuit when creating an ExpressRoute connection (i.e. when `type` is `ExpressRoute`). The Express Route Circuit can be in the same or in a different subscription. Changing this forces a new resource to be created.
     */
    expressRouteCircuitId?: pulumi.Input;
    /**
     * If `true`, data packets will bypass ExpressRoute Gateway for data forwarding. This is only valid for ExpressRoute connections.
     */
    expressRouteGatewayBypass?: pulumi.Input;
    /**
     * A list of the ingress NAT Rule Ids.
     */
    ingressNatRuleIds?: pulumi.Input[]>;
    /**
     * An `ipsecPolicy` block which is documented below.
     * Only a single policy can be defined for a connection. For details on
     * custom policies refer to [the relevant section in the Azure documentation](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell).
     */
    ipsecPolicy?: pulumi.Input;
    /**
     * Use private local Azure IP for the connection. Changing this forces a new resource to be created.
     */
    localAzureIpAddressEnabled?: pulumi.Input;
    /**
     * The ID of the local network gateway when creating Site-to-Site connection (i.e. when `type` is `IPsec`).
     */
    localNetworkGatewayId?: pulumi.Input;
    /**
     * The location/region where the connection is located. Changing this forces a new resource to be created.
     */
    location?: pulumi.Input;
    /**
     * The name of the connection. Changing the name forces a new resource to be created.
     */
    name?: pulumi.Input;
    /**
     * The ID of the peer virtual network gateway when creating a VNet-to-VNet connection (i.e. when `type` is `Vnet2Vnet`). The peer Virtual Network Gateway can be in the same or in a different subscription. Changing this forces a new resource to be created.
     */
    peerVirtualNetworkGatewayId?: pulumi.Input;
    /**
     * Bypass the Express Route gateway when accessing private-links. When enabled `expressRouteGatewayBypass` must be set to `true`. Defaults to `false`.
     */
    privateLinkFastPathEnabled?: pulumi.Input;
    /**
     * The name of the resource group in which to create the connection. Changing this forces a new resource to be created.
     */
    resourceGroupName: pulumi.Input;
    /**
     * The routing weight. Defaults to `10`.
     */
    routingWeight?: pulumi.Input;
    /**
     * The shared IPSec key. A key can be provided when a Site-to-Site, VNet-to-VNet or ExpressRoute connection is created.
     * This is the pre-shared secret for the tunnel: supply it from secret configuration rather than a literal in source.
     */
    sharedKey?: pulumi.Input;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{ [key: string]: pulumi.Input; }>;
    /**
     * One or more `trafficSelectorPolicy` blocks which are documented below.
     * A `trafficSelectorPolicy` allows you to specify a traffic selector policy proposal to be used in a virtual network gateway connection.
     * For details about traffic selectors refer to [the relevant section in the Azure documentation](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps).
     */
    trafficSelectorPolicy?: pulumi.Input;
    /**
     * The type of connection. Valid options are `IPsec` (Site-to-Site), `ExpressRoute` (ExpressRoute), and `Vnet2Vnet` (VNet-to-VNet). Each connection type requires different mandatory arguments (refer to the examples above). Changing this forces a new resource to be created.
     */
    type: pulumi.Input;
    /**
     * If `true`, policy-based traffic selectors are enabled for this connection. Enabling policy-based traffic selectors requires an `ipsecPolicy` block. Defaults to `false`.
     */
    usePolicyBasedTrafficSelectors?: pulumi.Input;
    /**
     * The ID of the Virtual Network Gateway in which the connection will be created. Changing this forces a new resource to be created.
     */
    virtualNetworkGatewayId: pulumi.Input;
}